Unnecessary syslog header was recorded from 0:00 to 9:00 on Jan 1, 2015 of JST(UTC+9:00)
Example
-----
<133>Dec 31 23:55:04 OTSS0101 OTxx01xx: warning
<133>Jan 1 00:20:12 10.70.0.32 Jan 01 00:21:51 OTSS0101 OTxx01xx: critical
--
<133>Jan 1 08:00:15 10.70.0.32 Jan 01 08:01:52 OTSS0101 OTxx01xx: critical
<133>Jan 1 09:01:51 OTSS0101 OTxx01xx: critical
-----
I use the following input and output.
-----
input
Module im_udp
Exec parse_syslog_bsd();
--
output
Module om_file
Exec to_syslog_bsd();
-----
Is this known behavior?
This is pretty strange. A syslog header is only appended by to_syslog_bsd() when the input (i.e. $raw_event) does not contain a valid syslog header and parse_syslog_bsd() fails to parse it.
$raw_event = "<133>Jan 01 00:21:51 OTSS0101 OTxx01xx: critical";
parse_syslog_bsd();
to_syslog_bsd();
log_info($raw_event);
This gives the following output:
<133>Jan 1 00:21:51 OTSS0101 OTxx01xx: critical
So it works fine here.
It's possible that the underlying C library calls returned an error when the date was parsed which resulted in parse_syslog_bsd() failing. What platform are you running this on?
Note that to_syslog_bsd() can be safely removed and that should prevent this from happening again.
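To make the rule above concrete, here is a small Python model (added here, not nxlog code and not from this thread) of the parse_syslog_bsd()/to_syslog_bsd() pair: it yields the answer's clean output when the header parses, reproduces the doubled header from the question when the parse is made to fail, and includes a check that spots such lines and recovers the original event. The failure path (reusing a leading PRI, prepending the receiver's clock and address), the receiver address, the assumed year and the RFC 3164 fallback PRI are assumptions; the real cause of the parse failure on the asker's platform is unknown.

```python
import re
from datetime import datetime

# BSD syslog header as parse_syslog_bsd() expects it: <PRI>Mmm dd HH:MM:SS host message
_TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
HEADER = re.compile(rf"^<(?P<pri>\d{{1,3}})>(?P<ts>{_TS}) (?P<host>\S+) (?P<msg>.*)$")
# A line carrying two headers: the receiver's own, then the original one (as in the thread)
DOUBLED = re.compile(rf"^<(?P<pri>\d{{1,3}})>{_TS} \S+ (?P<inner>{_TS} \S+ .*)$")

def parse_syslog_bsd(raw, year=2015):
    """Model of parse_syslog_bsd(): header fields, or None when parsing fails."""
    m = HEADER.match(raw)
    if not m:
        return None
    try:  # the BSD timestamp carries no year; the receiver supplies one (assumed 2015)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return {"pri": int(m["pri"]), "ts": ts, "host": m["host"], "msg": m["msg"]}

def to_syslog_bsd(raw, fields, now, receiver):
    """Model of to_syslog_bsd(): rebuild the header from parsed fields. With no
    fields (the parse failed) a header built from the receiver's clock and
    address is put in front of the unparsed event: the doubled header."""
    if fields is None:  # assumption: a leading <PRI> is reused, the rest kept verbatim
        m = re.match(r"^<(\d{1,3})>(.*)$", raw)
        pri, body = (int(m[1]), m[2]) if m else (13, raw)  # 13 = RFC 3164 default PRI
        return f"<{pri}>{now:%b} {now.day} {now:%H:%M:%S} {receiver} {body}"
    ts = fields["ts"]
    return f"<{fields['pri']}>{ts:%b} {ts.day} {ts:%H:%M:%S} {fields['host']} {fields['msg']}"

def recover(line):
    """Detect a doubled header and return the original event; None if the line is clean."""
    m = DOUBLED.match(line)
    return f"<{m['pri']}>{m['inner']}" if m else None

def demo():
    raw = "<133>Jan 01 00:21:51 OTSS0101 OTxx01xx: critical"   # the answer's test event
    now = datetime(2015, 1, 1, 0, 20, 12)                        # constructed receiver clock
    good = to_syslog_bsd(raw, parse_syslog_bsd(raw), now, "10.70.0.32")
    bad = to_syslog_bsd(raw, None, now, "10.70.0.32")            # parse failure simulated
    fixed = recover(bad)
    return good, bad, fixed, recover(good)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running recover() over an archived file is a quick way to count how many events were affected and to restore their original timestamps and hostnames.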